Description
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the YouTube Video 'value' field in all versions up to, and including, 2.11.0. This is due to insufficient input sanitization and output escaping on user-supplied YouTube video URLs in the `um_profile_field_filter_hook__youtube_video()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that execute whenever a user accesses the injected user's profile page.
Published: 2025-12-17
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting allowing malicious scripts to execute in profile pages viewed by other users
Action: Patch Immediately
AI Analysis

Impact

A stored XSS flaw resides in the YouTube Video "value" field of the Ultimate Member WordPress plugin. When an authenticated user with Subscriber-level access or higher edits the field to contain a malicious script, the input is saved without proper sanitization or escaping. Any user who views that profile page receives the injected script in their browser, enabling attackers to steal session cookies, deface content, or perform phishing attacks directly from the profile view.

Affected Systems

The vulnerability affects the Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress. All releases up to and including version 2.11.0 are impacted. Users running these plugin versions on any WordPress site are susceptible, regardless of WordPress core version.

Risk and Exploitability

The CVSS base score of 6.4 indicates moderate severity, while the EPSS score of less than 1% shows the likelihood of exploitation is very low at the time of analysis. The flaw is not catalogued in the CISA KEV list. Exploitation requires an authenticated session with at least Subscriber privileges and interaction with the profile editing interface. Once the malicious input is stored, it is delivered to every visitor of the profile page, so an attacker needs only a low-privileged account on the site to reach the browsers of any other users who view that profile.

Generated by OpenCVE AI on April 21, 2026 at 17:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Ultimate Member to version 2.11.1 or later, which sanitizes YouTube URLs and applies proper output escaping.
  • If an immediate update is not feasible, disable the YouTube video field in the plugin settings or restrict the field to accept only plain, validated URLs, thereby preventing script injection.
  • Examine all existing user profiles for suspicious YouTube URLs and remove or clean any that contain script tags or unexpected characters.
  • Consider implementing a site-wide Content Security Policy that blocks inline scripts to provide an additional layer of defense against stored XSS.
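As an added illustration of the second and third actions above, written for this page and not taken from the Ultimate Member plugin: a Python allow-list validator for a YouTube field value (it accepts only http(s) URLs on YouTube hosts that carry an 11-character video id and renders a canonical embed built from that id rather than echoing the raw value), plus an audit pass over constructed sample profile values that reports which ones a site owner should clean. The host list, regular expressions, and sample rows are assumptions of this example, not values from the plugin.

```python
import html
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumed allow-list for this example; the plugin's own accepted hosts may differ.
ALLOWED_HOSTS = {"youtube.com", "www.youtube.com", "m.youtube.com", "youtu.be"}
# YouTube video ids are 11 URL-safe base64 characters; anything else is rejected.
VIDEO_ID_RE = re.compile(r"[A-Za-z0-9_-]{11}")
# Cheap heuristic used only to label an audit finding, never to decide safety.
SUSPICIOUS_RE = re.compile(r"""[<>"']|javascript:|data:|on\w+\s*=""", re.IGNORECASE)


def extract_video_id(value: str) -> Optional[str]:
    """Return the video id if `value` is a plain YouTube URL, else None.

    Validation is structural (scheme, host allow-list, path shape, id
    pattern), so script tags, javascript: URLs, stray quotes and
    look-alike hosts all fail without any deny-list of bad strings.
    """
    if not isinstance(value, str) or len(value) > 2048:
        return None
    try:
        parts = urlsplit(value.strip())
        host = (parts.hostname or "").lower()
    except ValueError:  # e.g. a malformed IPv6 literal in the netloc
        return None
    if parts.scheme not in ("http", "https") or host not in ALLOWED_HOSTS:
        return None
    segments = parts.path.split("/")  # '/watch' -> ['', 'watch']
    if host == "youtu.be":
        candidate = segments[1] if len(segments) > 1 else ""
    elif parts.path == "/watch":
        candidate = parse_qs(parts.query).get("v", [""])[0]
    elif len(segments) > 2 and segments[1] in ("embed", "shorts"):
        candidate = segments[2]
    else:
        return None
    return candidate if VIDEO_ID_RE.fullmatch(candidate) else None


def render_embed(value: str) -> str:
    """Render an embed only from the validated id; the raw user string never
    reaches the page. Returns '' for anything that did not validate."""
    video_id = extract_video_id(value)
    if video_id is None:
        return ""
    # The id is already restricted to safe characters; escaping is defence in depth.
    src = html.escape(f"https://www.youtube.com/embed/{video_id}", quote=True)
    return f'<iframe src="{src}" allowfullscreen></iframe>'


def audit_profiles(rows: Iterable[Tuple[int, str]]) -> List[Tuple[int, str, str]]:
    """Flag every stored (user_id, value) pair that fails validation.

    The reason string only helps triage; anything listed here should be
    removed or replaced regardless of which reason it carries.
    """
    findings = []
    for user_id, value in rows:
        if extract_video_id(value) is not None:
            continue
        if SUSPICIOUS_RE.search(value):
            reason = "contains markup or script-like content"
        else:
            reason = "not a YouTube URL"
        findings.append((user_id, value, reason))
    return findings


# Constructed sample profile values for the audit; not data from any real site.
SAMPLE_ROWS = [
    (1, "https://www.youtube.com/watch?v=dQw4w9WgXcQ"),
    (2, "https://youtu.be/dQw4w9WgXcQ?t=10"),
    (3, "https://www.youtube.com/watch?v=<script>alert(1)</script>"),
    (4, "javascript:alert(1)"),
    (5, "https://not-youtube.example/watch?v=dQw4w9WgXcQ"),
    (6, "https://www.youtube.com/shorts/abcdefghijk"),
]

if __name__ == "__main__":
    for user_id, value, reason in audit_profiles(SAMPLE_ROWS):
        print(f"user {user_id}: {reason}: {value!r}")
```

In a real audit the rows would come from the WordPress user meta table instead of SAMPLE_ROWS; the validator is the part worth keeping, because it encodes the same principle as the fix in 2.11.1: accept only a narrowly shaped URL and emit a value you constructed yourself, escaped, rather than the user's string.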

Advisories

No advisories yet.

History

Thu, 18 Dec 2025 10:00:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Ultimatemember; Ultimatemember ultimatemember; Wordpress; Wordpress wordpress

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Ultimatemember; Ultimatemember ultimatemember; Wordpress; Wordpress wordpress

Wed, 17 Dec 2025 20:15:00 +0000

Type: Metrics
  Values Removed: (none)
  Values Added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Dec 2025 18:30:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the YouTube Video 'value' field in all versions up to, and including, 2.11.0. This is due to insufficient input sanitization and output escaping on user-supplied YouTube video URLs in the `um_profile_field_filter_hook__youtube_video()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that execute whenever a user accesses the injected user's profile page.

Type: Title
  Values Removed: (none)
  Values Added: Ultimate Member <= 2.11.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'value'

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-79

Type: References
  Values Removed: (none)
  Values Added: (not listed on this page)

Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1
    {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:05:07.971Z

Reserved: 2025-11-14T20:12:30.355Z

Link: CVE-2025-13217

Vulnrichment

Updated: 2025-12-17T18:52:11.883Z

NVD

Status: Deferred

Published: 2025-12-17T19:16:00.690

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13217

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T17:15:25Z

Weaknesses